Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Consumer Privacy, Privacy & Security Litigation

The Ninth Circuit Revives Consumer Class Action, Finding Intangible Harm Sufficient to Confer Article III Standing

The six-year fight over the type of harm a plaintiff must allege to satisfy the “injury in fact” requirement for lawsuits alleging false reporting of credit information took its latest turn this week.  On Tuesday, August 15, 2017, the U.S. Court of Appeals for the Ninth Circuit, on remand from the United States Supreme Court, issued its opinion in Spokeo, Inc. v. Robins, a highly-watched case challenging whether a plaintiff can satisfy Article III standing based solely on a technical violation of the Fair Credit Reporting Act (FCRA).  Plaintiff Thomas Robins brought a putative class action for willful violations of the FCRA against Spokeo, Inc., a company that generates profiles about people based on publicly available data.  Among other things, Robins averred that Spokeo published an allegedly inaccurate profile about him on its website and therefore harmed his employment prospects at a time when he was out of work.  The Ninth Circuit’s three-judge panel held that the publication of materially inaccurate information about Robins sufficed as concrete injury for purposes of Article III standing, even without specific allegations of tangible harm from that publication.

Continue Reading

Posted in Employment Privacy, International/EU Privacy

New Case Law on Restrictions for Employee Monitoring in the Workplace in Germany

According to the German Federal Labor Court, Germany’s highest court for employment disputes, German employers are not allowed to monitor employees in the workplace without a concrete suspicion of a criminal violation or, in some cases, a serious breach of duty (judgment dated July 27, 2017, case ref. 2 AZR 681/16). This means that employer monitoring of an employee’s computer usage without a concrete suspicion, including the use of keylogging software that records all keyboard entries made at a desktop computer does not comply with German data privacy laws. Courts may exclude evidence obtained under violation of German data privacy laws from their proceedings. Continue Reading

Posted in International/EU Privacy

Russian Data Protection Authority Publishes Privacy Policy Guidance

On 31 July, the Russian data protection authority, Roskomnadzor, issued guidance for data operators on the drafting of privacy policies to comply with Russian data protection law. Russia’s 2006 privacy law – Federal Law No. 152-FZ of 27 July 2006 “On Personal Data” (Personal Data Law) – requires, among other things, that Russian data operators must adopt a privacy policy that describes how they process personal data. This notice requirement is similar to the approach in Europe. Furthermore, data operators shall publish such a policy online when personal data is collected online or otherwise provide unrestricted access to the policy when personal data is collected offline. The guidance – although non-binding and recommendatory in nature – emphasizes the regulator’s compliance expectations and should therefore be taken into account by organizations acting as data operators in Russia. Continue Reading

Posted in Cybersecurity & Data Breaches, Privacy & Security Litigation

CPR Appoints New Cyber Panel Ahead of Anticipated Increase in Data Security Disputes

The International Institute for Conflict Prevention and Resolution, a New York-based organisation offering Alternative Dispute Resolution (ADR) services, has recently announced the launch of a new specialised panel of neutrals, commissioned to deal with cybersecurity disputes. The Cyber Panel is composed of experts in cyber-related areas such as data breaches and subsequent insurance claims. In a press release, Noah Hanft, President of CPR, described the new panel as guiding the “critical effort” by businesses to “prevent and/or resolve cyber-related disputes in a manner that best protects operations, customers and reputation” due to attacks now occurring with increased frequency and sophistication. Continue Reading

Posted in International/EU Privacy

UK Government Releases Statement of Intent on Proposed Data Protection Bill

On 7 August 2017, the UK Department for Culture, Media and Sport (DCMS) published its Statement of Intent on a proposed Data Protection Bill, which will replace the current UK Data Protection Act 1998 (DPA).

Continue Reading

Posted in Cybersecurity & Data Breaches, Financial Privacy

A Guide to NYDFS Cybersecurity Regulations’ August 28 Implementation Deadline

As a follow-up to our previous reports (December 30, 2016 Alert; February 24, 2017 Alert) regarding the cybersecurity regulations issued by the New York State Department of Financial Services (NYDFS), we would like to remind covered entities that the first of several implementation deadlines is this month, on August 28, 2017. To help you prepare, we are providing here an overview of the August 28, 2017 implementation requirements for covered entities.

In addition to this overview, covered entities may also turn to the NYDFS’ Frequently Asked Questions Regarding 23 NYCRR Part 500 as a helpful resource in preparing for implementation. Continue Reading

Posted in Consumer Privacy

FTC Schools “Smart” Toys with Updated COPPA Compliance Guidance

The Federal Trade Commission (“FTC”) released an updated guidance document for complying with the Children’s Online Privacy Protection Act (“COPPA”).  The revised guidance, released on June 21, 2017, explicitly identifies connected toys and other Internet of Things devices as being covered under COPPA and adds clarity to web operators’ responsibility for the activities of third parties, such as ad networks and plug-ins, that collect personal information protected under COPPA.  It also includes recently approved methods for obtaining verifiable parental consent. Continue Reading

Posted in Cybersecurity & Data Breaches

Bipartisan Group of Senators Introduce Bill to Impose Baseline Security Requirements for IoT Devices Provided to U.S. Government

On August 1, a bipartisan group of four senators introduced a bill that would impose specific cybersecurity requirements on providers of Internet of Things (IoT) devices when doing business with the U.S. Government and provide liability protections for security researchers who disclose vulnerabilities affecting these devices. Though the bill’s security requirements would apply only in cases where entities are acting as contractors to the U.S. Government, if enacted, it likely would be influential on IoT vendors operating in the consumer context as well. The bill is largely consistent with an ongoing multistakeholder effort led by the National Telecommunications and Information Administration (NTIA) aimed at developing voluntary security standards for Internet-connected devices.

Continue Reading

Posted in Cybersecurity & Data Breaches

The FTC and Industry Propose Best Practices for IoT Security Updates

How do you ensure that an Internet-connected sensor or device—often inexpensive and designed for lifespans of up to 20 years or more—can be secured against not only the intrusions of today but also those of the future? This question has taken on new urgency as low-cost Internet-connected devices are increasingly being co-opted into massive networks, known as “botnets,” that are capable of causing widespread disruption.

Both government regulators and industry have been working together to solve this and related questions by developing best practices for mitigating security risks from unpatched or unsupported devices. As we discussed in January, the National Telecommunications and Information Administration (NTIA), an independent agency within the Department of Commerce, is leading a multi-stakeholder process to consider opportunities and challenges associated with the Internet of Things (IoT). Since then, a working group convened by the NTIA has published a draft set of industry best practices for communicating to consumers when patches are available and when device manufacturers support sunsets. The Federal Trade Commission (FTC), consumer representatives and industry have submitted comments discussing these issues. Continue Reading

Posted in Cybersecurity & Data Breaches

National Association of Corporate Directors Updates Cyber-Risk Oversight Handbook

Earlier this year, the National Association of Corporate Directors (NACD) released an updated version of its Director’s Handbook on Cyber-Risk Oversight (Handbook). The updates add 16 pages of content to the previously 28-page document, including four additional appendices. While the use of and compliance with the Handbook is not mandatory, the Handbook is influential in shaping governance practices and thus it is prudent for those involved in corporate governance to familiarize themselves with the changes. Continue Reading